
Adobe Fixes Six Code Execution Bugs in Flash

Adobe fixed seven vulnerabilities, six that could lead to code execution, in Flash Player on Tuesday.

Adobe on Tuesday patched seven vulnerabilities in Flash Player, six that could lead to code execution. The company said it isn’t aware of any of the vulnerabilities being exploited in the wild but is still encouraging users to update Flash for Windows, Macintosh, Linux and Chrome OS.

The vulnerabilities exist in versions 24.0.0.221 and earlier of Flash, according to a security bulletin issued by the company Tuesday morning.

Adobe warns that the six bugs (a buffer overflow, two memory corruption vulnerabilities and three use-after-free vulnerabilities) could be exploited to achieve code execution. The lone bug that doesn’t lead to code execution is a flaw in a random number generator. That vulnerability, reported by two researchers at Nanyang Technological University in Singapore, Wang Chenyu and Wu Hongjun, could lead to information disclosure if exploited.

Users can apply the update, 25.0.0.127, through the usual distribution channels. Google Chrome, Microsoft Edge and Internet Explorer 11 users will receive the update automatically. Users of the Flash Player Desktop Runtime for Windows, Macintosh and Linux are being urged to update via the program’s update mechanism.

Adobe also patched Shockwave Player. Versions 12.2.7.197 and earlier of the multimedia software plugin contained a vulnerability that, if exploited, could lead to escalation of privilege, a security bulletin warned. The vulnerability stemmed from Shockwave’s directory search path. The patched version, 12.2.8.198, is available at Adobe’s Shockwave Player Download Center.
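The two bulletins above each describe an affected range ("version X and earlier") and a fixed build. The following is an added example, not code from Threatpost or Adobe, showing how to triage an inventory of installed versions against those ranges. The affected and fixed version numbers are the ones quoted in the article; the product keys, host names and installed versions are constructed sample data. The one thing worth noticing is that four-part versions must be compared numerically: a plain string comparison ranks "9.0.0.1" above "24.0.0.221".

```python
"""Triage installed Flash and Shockwave builds against the Adobe bulletins.

Added example; not Threatpost's or Adobe's code. Version ceilings and fixed
builds are the ones quoted in the article. Product keys, host names and the
installed versions in SAMPLE_INVENTORY are constructed for illustration.
"""
from typing import List, Tuple

# "Versions X and earlier" are affected; the fixed build is the shipped update.
BULLETINS = {
    "flash_player": {"affected_up_to": "24.0.0.221", "fixed": "25.0.0.127"},
    "shockwave_player": {"affected_up_to": "12.2.7.197", "fixed": "12.2.8.198"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version into a tuple of ints so comparison is numeric.

    String comparison would rank "9.0.0.1" above "24.0.0.221" because "9" > "2"
    character-wise. Missing trailing components are zero-padded to four parts,
    so "25" compares equal to "25.0.0.0".
    """
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(product: str, installed: str) -> bool:
    """True if the installed build is at or below the bulletin's affected ceiling."""
    ceiling = parse_version(BULLETINS[product]["affected_up_to"])
    return parse_version(installed) <= ceiling


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map each (host, product, installed) record to (host, recommended action).

    Builds above the affected ceiling but below the fixed build are not listed
    as affected by the bulletin, but they are flagged for manual verification
    rather than silently marked ok.
    """
    results = []
    for host, product, installed in inventory:
        if product not in BULLETINS:
            results.append((host, "no bulletin for this product"))
            continue
        fixed = BULLETINS[product]["fixed"]
        if is_affected(product, installed):
            results.append((host, f"update to {fixed}"))
        elif parse_version(installed) >= parse_version(fixed):
            results.append((host, "ok"))
        else:
            results.append((host, f"not listed as affected but below {fixed}; verify"))
    return results


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("ws-01", "flash_player", "24.0.0.221"),      # exactly the ceiling: affected
    ("ws-02", "flash_player", "9.0.0.1"),         # old build; string compare gets this wrong
    ("ws-03", "flash_player", "25.0.0.127"),      # already on the fixed build
    ("ws-04", "flash_player", "24.0.0.230"),      # between ceiling and fix: verify
    ("ws-05", "shockwave_player", "12.2.7.197"),  # affected Shockwave build
    ("ws-06", "shockwave_player", "12.2.8.198"),  # fixed Shockwave build
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

The `elif` branch exists because "X and earlier" bulletins say nothing about intermediate builds; treating those as patched would be a guess, so the script asks for a human check instead.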

Adobe has stuck by its usual Patch Tuesday patching schedule so far in 2017.

In January it pushed out 13 patches, 12 for bugs that could have led to remote code execution; in February the company patched 13 vulnerabilities, all of which could have led to code execution in the software.

With this year’s iteration of Pwn2Own, the annual hacking challenge held in tandem with CanSecWest in Vancouver, set to kick off tomorrow, it could be only a matter of days until Adobe releases a set of emergency updates for Flash.

Hackers took down Flash on the first day of Pwn2Own last year and earned $13,000 in the process. One group combined a type confusion bug in Flash with a Windows kernel bug, while another group exploited an out-of-bounds bug in the platform and chained it with an infoleak in the Windows kernel.

For this year’s contest, competitors can earn $50,000 for exploiting Flash in Microsoft Edge and another $30,000 if their exploit achieves SYSTEM-level code execution.


Authors

Threatpost
